Ic-cdk v0.18.2 Release: Important Update on Version Compatibility

Update: Out of an abundance of caution, we yanked 0.18.2 pending internal security review. To reiterate, we do not believe the issues reported about 0.18.1 are caused by any internal bugs, but the seriousness of those reported issues warranted being extremely careful. We have released 0.18.3 to address some minor issues found. The original post continues below:


Hi everyone,

We’ve released ic-cdk v0.18.2 with important compatibility improvements. To be clear: there are no known bugs in the recent releases. What we’ve discovered is a pre-existing compatibility issue that we’ve now addressed more effectively.

What Happened

The issue some users experienced wasn’t due to a bug in ic-cdk 0.18 itself. Rather, it occurred when projects inadvertently used dependencies that relied on different major versions of ic-cdk (specifically 0.17.x alongside 0.18.y). This version mismatch could be easily overlooked during development but cause problems at runtime.

What We’ve Improved

  • We’ve factored out the async executor into a separate library called ic-cdk-executor, making ic-cdk 0.18.2 compatible with future releases.
  • There are new patch versions for every major release between 0.8 and 0.17, making those releases compatible with each other. All existing versions for those major releases have been yanked.
  • Most importantly, you’ll now receive a clear compile-time error linking directly to our troubleshooting guide if:
    • your dependency tree contains both 0.17 (or any prior version) and 0.18.
    • you have updated to the new patch releases

Recommended Actions

  • We encourage all users to update to the latest patch version within your major release series. It will ensure that there are no hiccups if a dependency uses a different version of ic-cdk.
  • If you haven’t migrated to 0.18 yet, you can find the migration guide from 0.17→0.18 here.

Thank you for your understanding and continued support.

12 Likes
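An added example, not part of the original post or the ic-cdk project's code: a std-only Rust check that scans the text of a Cargo.lock for crates resolved to more than one semver-incompatible release line, which is the 0.17.x-alongside-0.18.y situation described above. The sample lock file and the function names are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Cargo's compatibility bucket: "1.2.0" -> "1", "0.17.2" -> "0.17", "0.0.3" -> "0.0.3".
fn compat_key(version: &str) -> String {
    let core = version.split(|c| c == '-' || c == '+').next().unwrap_or("");
    let parts: Vec<&str> = core.split('.').collect();
    match parts.as_slice() {
        [major, ..] if *major != "0" => major.to_string(),
        [_, minor, ..] if *minor != "0" => format!("0.{minor}"),
        _ => core.to_string(),
    }
}

/// Maps crate name -> incompatible release lines, for crates locked more than once.
fn incompatible_duplicates(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut seen: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` header has no package name and is skipped.
            if let Some(n) = name.take() {
                seen.entry(n).or_default().insert(compat_key(v.trim_matches('"')));
            }
        }
    }
    seen.retain(|_, keys| keys.len() > 1);
    seen
}

// Constructed sample lock file (not taken from any real project).
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "ic-cdk"
version = "0.17.1"
[[package]]
name = "ic-cdk"
version = "0.18.1"
[[package]]
name = "ic-canister-sig-creation"
version = "1.2.0"
"#;

fn main() {
    for (name, keys) in incompatible_duplicates(SAMPLE_LOCK) {
        println!("{name}: incompatible release lines {keys:?}");
    }
}
```

On a real project, feed it the contents of Cargo.lock; `cargo tree -d` reports the same duplicates together with the dependency paths that pull each one in.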

version conflicting with ic-canister-sig-creation:

cargo update
    Updating crates.io index
error: failed to select a version for `ic-cdk-executor`.
    ... required by package `ic-cdk v0.17.2`
    ... which satisfies dependency `ic-cdk = "^0.17"` of package `ic-canister-sig-creation v1.2.0`
    ... which satisfies dependency `ic-canister-sig-creation = "^1.2"` of package `ic_cose_canister v0.8.3 (/Users/zensh/git/github.com/ldclabs/ic-cose/src/ic_cose_canister)`
versions that meet the requirements `^0.1.0` are: 0.1.0
1 Like

This is indeed what we want to detect: that you don’t depend on ic-cdk v0.18 and v0.17 at the same time.

IIUC, the cargo update command was executed in the ic-cose project.
It declares the direct ic-cdk dependency with 0.18, while the other dependency, ic-canister-sig-creation, depends on ic-cdk v0.17.

You should have gotten more messages following the errors you included above.

Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the links = "ic-cdk async executor, see https://github.com/dfinity/cdk-rs/blob/links-pin/TROUBLESHOOTING.md" value. For more information, see Dependency Resolution - The Cargo Book.

So for now, you can either:

  • Downgrade the direct dependency of ic-cdk to v0.17.2.
  • Wait for a new release of ic-canister-sig-creation that depends on ic-cdk v0.18.2.
2 Likes

I am waiting for a new release of ic-canister-sig-creation :smiley:

I get the same issue with ic-canister-sig-creation and also ic-verifiable-credentials.

I can see that the CDK has already been bumped to 0.18 in ic-canister-sig-creation (see here), the new version just needs to be published. For now we can just switch to using a git dependency.

I’ll make a PR to ic-verifiable-credentials to bump the CDK version.

Edit: Ah it turns out ic-verifiable-credentials also depends on ic-canister-sig-creation. @lwshang do you know who at Dfinity can publish the latest version of ic-canister-sig-creation to crates.io? I’d prefer to make a PR to ic-verifiable-credentials which switches to a released version rather than to a git dependency.

Edit 2: I think the IC repo will need to be fully updated first because ic-verifiable-credentials depends on ic-signature-verification which comes from the IC repo. So I guess for now I’ll just do nothing until the IC repo is updated.

Yes. I’m working on updating ic-cdk dependency in the IC repo. This is my priority now.

2 Likes

Update: Out of an abundance of caution, we have temporarily yanked 0.18.2 pending internal security review. To reiterate, we do not believe the issues reported about 0.18.1 are caused by any internal bugs, but the seriousness of those reported issues warrants being extremely careful. If you wish to test 0.18.2 out locally, you can depend on the release 0.18.2-alpha.1. We expect to soon unyank 0.18.2 if no issues are discovered, and we apologize for any confusion.

3 Likes

ic-cdk 0.18.3 is now released.

1 Like

Hey,
When can we expect to have this done? I just spent one day updating all crates and repositories, and I’m stuck on one of our repositories because icrc-ledger-types is not yet updated with the latest ic-cdk version. :sweat_smile:
Thanks!

Are you sure? I literally installed icrc-ledger-types = "0.1.8" today as I was looking to migrate and can compile successfully :man_shrugging:.

ic-ledger-types seems to be fine, but icrc-ledger-types still depends on 0.17.2: crates.io: Rust Package Registry.
Or maybe I’m wrong and I have to dig more. Can you confirm you are using icrc-ledger-types and not ic-ledger-types?

It seems 0.1.8 of icrc-ledger-types did not depend on ic-cdk, but 0.1.9 does. It doesn’t seem to be used though - maybe it was added by accident, or should only be a dev-dependency. I’ll dig a bit deeper - in case it can be removed completely, we’ll look into publishing a new version.

1 Like

Ah OK, I was using the latest version, as Mathias said. With icrc-ledger-types = "0.1.8" it’s working correctly. I will use that version now, and we will see if this new dependency was necessary or not. Thanks, both of you!

1 Like

@Gwojda: @maciejdfinity1 just published version 0.1.10 of icrc-ledger-types without an ic-cdk dependency, so you should be able to upgrade to that (and get the ICRC-103 types that were added in 0.1.9).

4 Likes